Active Directory login scripts in Mac OS X – Part 1: Basic Approaches

In this article you will learn some traditional methods for “applying” Active Directory logon scripts to Mac OS X client computers.

Timothy Warner By Timothy Warner - Thu, September 1, 2011 - 2 comments

Timothy Warner is a Windows systems administrator, software developer, author, and technical trainer based in Nashville, TN.

Articles in this series

Active Directory login scripts in Mac OS X

Here is the scenario: You manage a Windows Server 2008 Active Directory domain that includes both Windows 7- and Mac OS X-based client computers. Your Active Directory login scripts connect your Windows users to various corporate file shares and print queues. However, you need to make these resources available to your Mac OS X clients as well. How do you accomplish this goal?

Well, what are you waiting for? Let’s get to work at answering that question!

The Bitter Truth

As you know, a login script is a script file that contains a sequence of commands to automate our users’ environments. Naturally, the “logon” part of the login script means that the script file is applied during, well, user domain logon.

In Active Directory, we can create login scripts by using either a standard “DOS” shell scripts, or we can employ a Windows Script Host (WSH) compatible scripting language such as VBScript or Jscript. Other programming language options are available, but these are by far the most common.

We deploy login scripts by using either Group Policy or the user’s domain account properties sheet. The logon script files themselves need to be stored in the NETLOGON share of one of your domain controllers; Active Directory replication ensures that all domain controllers possess a copy of the login script file.

The preceding information is all well and good, but where does that help us with respect to applying logon scripts to Mac OS X clients? While Apple has given us rudimentary integration with Active Directory, a Mac system cannot process a DOS shell script or VBScript file—Macs simply do not have the appropriate command interpreters available to them out of the box. In point of fact, Group Policy is utterly irrelevant to the Mac OS X operating system.

NOTE: Third-party products exist that do allow for Group Policy processing on Mac OS X systems. Two notable examples are Centrify DirectControl and PowerBroker Identity Services.

Thus, unless we turn to third-party tools, we have to face the unavoidable conclusion that we must maintain a separate login scripts for Mac OX clients. This brings up the important questions, “Okay, but how do I accomplish this goal?”

To let the proverbial cat out of the bag, in this article series we shall investigate the following options:

  • Defining a login item or login hook
  • Leveraging Open Directory in Mac OS X Server
  • Using a third-party utility

In future installments of this series, we will discuss the second and third bullet points. The focus of this article is to learn how we can create usable login scripts for our Macs with the least amount of effort, at least for the smallest of Mac/Windows environments.

Creating a login item

Login items in Mac OS X are directly analogous to Startup Items in Windows. In other words, these are applications that start up automatically after user login and are executed in the context of the current user.

To see a user’s login items, open the Accounts Preference pane, select the desired user account, and navigate to the Login Items tab.

The simplest way to add a Windows share to a Mac user’s login items list is simply to mount the share on the Mac in another 4sysops.com blog post) and drag the mounted volume to the user’s Login Items list.

Mac login scripts in Active Directory - Adding a Login Item

Adding a Login Item

If you are looking for more robustness in how the SMB mount is performed, then allow me to suggest AppleScript. AppleScript is an interpreted scripting language that is almost as old as the Mac OS itself. Following is an extremely basic AppleScript that mounts the aforementioned SMB share:

try

mount volume “smb://user@server/share”

end try

You can search online to find samples of more comprehensive AppleScript SMB scripts that include error checking, conditional logic, and so forth.

The key to using an AppleScript file as a login script is that you first need to save the script as an application (these have the .app extension by default). From the Apple Script Editor, click File > Save As and select Application from the File Format popup menu.

Mac login scripts in Active Directory  - Saving an AppleScript as an application

Saving an AppleScript as an application

You can then drag the AppleScript .app file to the user’s Login Items preference pane, as usual.

Mac login scripts in Active Directory- The finished configuration

The finished configuration

Creating a login hook

Whereas a login item runs in the context of the currently logged on user, a login hook runs with root (superuser) privilege. Thus, login hooks tend to be much more powerful and have more capability than login items.

To define a login hook, you’ll first need to compose a UNIX shell script that performs the actions you desire. For instance, the following code creates a folder on the user’s Desktop and mounts a Server Message Block (SMB) Windows share named winshare from a Windows server named server01:

#!/bin/sh

mkdir /Users/tim/Desktop/winshare

mount_smbfs //username:password@server01/winshare /Users/tim/Desktop/winshare

KillAll Terminal

exit

UNIX shell scripts typically have the .sh file extension. However, in this case we need to change the extension to .command as well as make the shell script executable. To perform this latter action, issue the following command from Terminal:

chmod +x filename.command

The final step is to create the login hook proper. From Terminal, issue the following statement:

sudo defaults write com.apple.loginwindow LoginHook /path/to/filename.command

where /path/to represents the path that leads to the .command shell script.

If for any reason you need to remove a previously created login hook, issue the following statement from Terminal:

sudo defaults delete com.apple.loginwindow LoginHook

Conclusion

While the techniques discussed in this blog post will work just fine for very small Mac/Windows environments with, say, 10 or fewer Macs, they are obviously unworkable for larger-scale implementations.

To this end, in the following installments of this series we will examine some methods for deploying login scripts to several Mac OS X clients in a more centralized manner. Advance warning: the next procedure we will examine involves Mac OS X Server with Open Directory, and will include almost no reference to Windows at all. The horrors, the horrors! Thanks for reading!

For further study

Series Navigation - Active Directory login scripts in Mac OS X – Part 2: Using Open Directory

-1+1 - Rate this post
Loading ... Loading ...
Disclaimer
Your question wasn't answered? Please ask in the new 4sysops forum!

2 Comments- Leave a Reply

  1. prasanna says:

    I tried to execute a shell script while logon using login hook. It is working fine for root user. Is it possible to execute the shell script using non-root user.

    I tried with the login items by adding the shell script, but no luck.

    Is there any way to execute shell scripts while logon by non-root users

  2. stein says:

    I discovered that the hook running as root causes problems also. Primarily it changes the permisions and the user can’t see the folder on the desktop any longer because it is only available to root.

    And of course I don’t want to log into the server as root.

    According to this page

    http://support.apple.com/kb/Ht2420

    the short username is in $1 (you have to click more near the top to see it though)

    So I tried a script like
    #!/bin/sh
    su – $1
    txtUSER=$(whoami)
    mkdir /Users/$txtUSER/Desktop/Fdrive
    mount_smbfs //MY_SERVER/sys /Users/$txtUSER/Desktop/Fdrive
    mkdir /Users/$txtUSER/Desktop/Hdrive
    mount_smbfs //MY_SERVER/home/$txtUSER /Users/$txtUSER/Desktop/Hdrive
    KillAll Terminal
    exit

    This script will run (without the su -$1) fine when placed in the users login items.

    Note: To get the shortcuts to show on the desktop the user will need to go to finder -> preferences and check connected servers.

    Hope this helps someone else. Wished I could figure out how to switch users to run this command from the hook.
    –Stein

Please share your thoughts in a comment!

Login

Lost your password?